Closed sherlock-admin closed 1 year ago
If vaultConfig.feeRate5BPS is a uint8 how can it be set to a value greater than 255?
I also do not think #56 is a duplicate of this issue, they refer to different fees.
I think this issue is invalid due to the uint8 restriction.
xiaoming90
medium
All Borrowed Assets Can Be Charged As Protocol Fees Due To Uncapped Fee
Summary
All borrowed assets can be charged as protocol fees due to uncapped fees.
Vulnerability Detail
Whenever a user borrows fCash to enter a vault, they have to pay a fee to Notional. The fee is charged against the total amount of assets borrowed from Notional.
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L259
Per the
Types
contract below, it was understood that thefeeRate5BPS
is allowed up to a 12.75% annualized fee only.https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/global/Types.sol#L461
The configuration of the vault is set by calling the
VaultAction.updateVault
function. Following is an example taken from the test script.https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/tests/test_cross_currency.py#L13
When the
VaultAction.updateVault
function is triggered, it will in turn call theVaultConfiguration.setVaultConfig
function.https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/external/actions/VaultAction.sol#L27
Within the
VaultConfiguration.setVaultConfig
function, it will perform various input validation checks to ensure that the configuration is appropriate. However, it was observed that the function does not perform any validation check against thevaultConfig.feeRate5BPS
parameter. Therefore, the fee is unbounded, and it is possible to set it to an extremely high value causing most or all of the borrowed assets to be charged as fee.https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L163
Impact
The entire borrowed assets can be charged as a protocol fee due to the lack of an upper bound on the fee. Loss of assets for the users as all or majority of their borrowed assets went to the protocol as a fee.
Code Snippet
https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L259 https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/contracts/global/Types.sol#L461 https://github.com/sherlock-audit/2022-09-notional/blob/main/leveraged-vaults/tests/test_cross_currency.py#L13 https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/external/actions/VaultAction.sol#L27 https://github.com/sherlock-audit/2022-09-notional/blob/main/contracts-v2/contracts/internal/vaults/VaultConfiguration.sol#L163
Tool used
Manual Review
Recommendation
It is recommended to set an absolute cap on the maximum fee that can be charged.
Since the requirement is to allow up to a 12.75% annualized fee as per the comment within the
Types
contract below (See Line 471), consider including a validation check within theVaultConfiguration.setVaultConfig
function to ensure that the fee falls within the range (fee <= 12.75% annualized fee).